Stealthy data-gathering capabilities and a narrow set of specific victims are two key characteristics of malware used in state-sponsored attacks, but it is increasingly hard to tell such malware apart from the tools of cybercriminals, let alone attribute its origin.

Cybercriminals have evolved from using "broad, scattershot approaches" of mass-market malware to sophisticated and unique malware used to steal valuable information such as sensitive data, intellectual property, authentication credentials or insider information, Phil Lin, director of product marketing at FireEye, noted.

Most state-sponsored malware is designed for activities such as data-gathering, cyberespionage or sabotage, she explained.

Elaborating, Lin noted these malware often have particular data-stealing capabilities, communicate back to certain regions and countries in the world, use advanced infiltration tactics, and employ multiple data theft mechanisms.

Nation-sponsored malware also has specific targets, unlike the usual cybercriminals who aim to hit as many victims as possible, Luis Corrons, technical director of Panda Security's PandaLabs, observed.

For instance, Stuxnet, which has been linked to Israel, had a very specific target: a uranium enrichment plant in Natanz, Iran, he remarked. Another case was the Flame virus, uncovered in May, with targets located in certain Middle Eastern countries, a region with a lot of political and economic interest, he pointed out.

When the victims or targets are limited to specific groups, it is an indicator that the attacker is only interested in gathering intelligence and conducting espionage, Pilao added.

Attack attribution the hardest

Still, all of these characteristics can also be found in advanced malware used by cybercriminals for regular attacks, which makes the geographical attribution of cyberattacks "the most difficult task", Lin observed.

"Cybercriminals from one country can easily set up 'command and control (C&C)' servers used to store exfiltrated data in a different country, leading to incorrect attribution of the nationality of the threat actors, not to mention their ultimate nation-state ties," he explained.

It is also "extremely unlikely" a country will openly admit sponsoring attacks, Corrons added.

The level of sophistication of attacks by these malware also makes them harder for the target organization or institution to detect and prevent, Pilao added. While they are usually created by professionals, many non-professional code writers can also create and deploy their own malware and be successful at it, she added.

In order to uncover the threat actors, a thorough digital forensic examination of the advanced targeted attack lifecycle, from exploit to exfiltration, should always be carried out within the enterprise and government infrastructure, Lin advised.